What’s new in the OWASP Top 10 for 2023?
Security is top of mind in a lot of businesses. The threat landscape is so dangerous that everyone is looking for some way to lower their risk profile. That's one of the reasons why the OWASP Top 10 list is greeted with such enthusiasm — it lays out the most significant threats based on an assessment across many enterprises.
The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software through community-led open-source software projects. It periodically releases the OWASP Top 10 list, which outlines the 10 most critical security concerns for web application security.
11 courses, 8+ hours of training
So what’s new on the OWASP Top 10 list for 2023? Well, the last update was in 2021, and it’s typically updated every three to four years. So the next update isn’t expected around 2025.
However, the 2021 list had significant changes. Instead of focusing squarely on vulnerability classification, the newest version introduces broader categories with more attention given to the degree of exploitability and the overall impact of a potential threat.
-
Broken access control
-
Cryptographic Failures
-
Injection
-
Insecure design
-
Security misconfiguration
-
Vulnerable and outdated components
-
Identification and authentication failures
-
Software and cata integrity failures
-
Security logging and monitoring failures
-
Server-side request forgery
Infosec Skills author John Wagnon spoke about the list on a recent Cyber Work Podcast.
"The top 10 list covers the biggest risks in the world of web applications today," said Wagnon. "When you look at the newest list, it's a bit broader, and they've really gone after the root cause rather than the symptom."
OWASP Top 10 changes
A new item on the list is cryptographic failures. It encompasses items that were part of the previous top 10 list, such as sensitive data exposure. Why? The reason that sensitive data is being exposed everywhere is usually because of underlying cryptography problems.
In the top position on the list is broken access control. Wagnon explained that the modern network deals with applications that are available to people working from home, operating in a coffee shop, doing tasks mid-flight or traveling to different customer sites, often internationally. That brings about countless access control challenges. Hence, broken access control has moved to the top of the chart.
"Number one is the most critical as the items of the OWASP list are in a criticality ranked order," said Wagnon. "However, it is important to understand that what comes up as the top 10 is based on input from companies around the world and may not necessarily be your organization's top 10."
Cryptographic failure is number two on the OWASP list, but it may be number one in a specific organization. Thus, the OWASP Top 10 list should be viewed as an awareness document that gives organizations an idea of the state of application security today.
Legacy applications
Several items from the list have been there for a great many years. After all, there are a great many applications out there that have been around for decades. Among web applications, for example, some were developed around the year 2000 that are still in use. They were created well before the advent of the cloud, virtualization, multi-core processors, containers and other modern innovations.
However, a surprising number of organizations still use these legacy web applications. They haven't gotten around to updating them for a variety of reasons. Some may even be critical to the business, such as a billing or inventory control application.
At the time they were created, security best practices for developers were poorly known. Thus, certain vulnerabilities are present that aren't going away anytime soon. That is one of the reasons why certain items on the OWASP list remain year after year.
Another reason for items persisting on the list is unchanging user behavior. Despite steadily improving user education on security and widespread implementation of security awareness training, some users continue to misbehave, are lax about security policy and remain susceptible to phishing scams that trick them into clicking on malicious links and attachments.
"One of the top attack vectors that attackers use is phishing, as it still works," said Wagnon. "People are taught not to use a weak password and not leave their computer unattended, but some still do."
He urged developers to adopt secure coding practices and standards. If each coder writes secure code, they do their part to make the world safer.
Career opportunities
Cybersecurity offers almost limitless job opportunities. But for new people, it may seem like a daunting place. They may need help figuring out where to start.
There are opportunities in patch management, secure coding, DevSecOps and many others. Within software development, there are opportunities in just about every vertical, every cloud platform and every category of application. The possibilities can range from apps for farming equipment companies to banks, insurance, retail and more.
"With broken access control as the number one security risk, access management experts should be able to write their own tickets," said Wagnon.
To learn more about the OWASP Top 10, check out John Wagnon’s OWASP Top Ten Learning Path in Infosec Skills.
Learn how to secure systems with 11 courses from Infosec Skills instructor and #1 best-selling author Ted Harrington.
- Hack your system
- Establish your threat model
- Spend wisely
- And more
In this Series
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Moving from “shift left” to “born left”
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
- Introduction to the OWASP API Top Ten
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security
Application security